
Re: packages built with golang



On Mon, Mar 14, 2022 at 05:23:02PM -0700, Cousin Stanley wrote:
> Dan Ritter wrote:
> 
> > ....
> > Not having Built-Using is just like not having dependencies.
> 
>   Thanks for the explanation.
> 
>   I can understand the need for the Built-Using list
>   for the developers that need it. 

No, it seems you haven't understood.

Assume some security issue becomes known for, say, libssl.

The developers fix it. The Debian developer integrates the fix into
the package (if necessary, by backporting). You, the user, do an
apt-get upgrade. The fixed version gets installed in your system,
every program using that library is now fine.

With go, you have, say, some crypto library linked STATICALLY to
15 programs from as many packages. The bug gets fixed and...
nothing happens. Unless... your system knows that those 15 packages
were "Built-Using:".

That's why you need that metadata.

As for why they are shown to you, the system administrator --
well, the installer's decision to install those 15 packages
has to be transparent to you. It is, after all, the dark
sister of "Depends:" in the static linking world.

Cheers
-- 
t
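An added example, not part of this thread: a Python check for the situation the reply describes, using the Built-Using metadata to find binaries that still embed an older version of a statically linked source package after that package's own fix has shipped. It assumes the output format of `dpkg-query -W -f='${Package}\t${Built-Using}\n'`; the package names and versions in the sample are constructed, and the version ordering is a reimplementation of dpkg's comparison rules, not dpkg's own code.

```python
import re

# Constructed sample of `dpkg-query -W -f='${Package}\t${Built-Using}\n'` output (names/versions made up).
SAMPLE = (
    "foo-server\tgolang-golang-x-crypto (= 1:0.0~git20200221.2aa609c-1), golang-github-bar (= 1.4.0-2)\n"
    "foo-client\tgolang-golang-x-crypto (= 1:0.0~git20210921.089bfa5-1)\n")
BU_RE = re.compile(r"(\S+) \(= ([^)]+)\)")  # one "source (= version)" entry of Built-Using

def _order(c):
    # dpkg weights: '~' sorts before everything (even end of string), letters before punctuation
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_frag(a, b):
    """dpkg comparison of an upstream/revision part: alternate non-digit runs and numeric runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0  # 0 = end or digit
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc: return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0": i += 1   # leading zeros are not significant
        while j < len(b) and b[j] == "0": j += 1
        first_diff = 0
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit(): return 1    # the longer number is the larger one
        if j < len(b) and b[j].isdigit(): return -1
        if first_diff: return first_diff
    return 0

def dpkg_cmp(v1, v2):  # negative, zero or positive, like `dpkg --compare-versions`
    def split(v):  # epoch:upstream-revision; epoch defaults to 0, revision to ""
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_frag(u1, u2) or _cmp_frag(r1, r2)

def packages_needing_rebuild(dpkg_output, source, fixed_version):
    """Binary packages whose Built-Using names `source` below `fixed_version`:
    upgrading the library's own package leaves the old code linked inside them."""
    hits = []
    for line in dpkg_output.splitlines():
        pkg, _, built_using = line.partition("\t")
        for src, ver in BU_RE.findall(built_using):
            if src == source and dpkg_cmp(ver, fixed_version) < 0:
                hits.append((pkg, ver))
    return hits
```

Without Built-Using the second loop has nothing to iterate over, which is exactly the "nothing happens" case in the reply; with it, the affected binaries can be listed and rebuilt.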
